Securing the Global Routing System and the Approach of Operators
Fakrul Alam, Senior Training, APNIC, [email protected]
Issue Date: 20 July 2016
Revision: 2.0
IDNOG 3, 28 July 2016, Jakarta, Indonesia
Incidents

Motivations!

Current practice
Receive request -> LoA check -> Create associated prefix / AS filter
Tools & techniques
• Manual LoA check
– Whois search on the customer's IP address in the IRR database
– Find the admin-c / tech-c contact email address from the database search and email them for verification
– Check the corresponding "route" objects
• Automated LoA check
– Fetch the routing policy from the IRR database
– Generate the associated prefix/AS filter
– Mostly done using RPSL
• RPKI
– Check and validate the prefix origin cryptographically
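As an added example (not code from the slides or from any APNIC tool), the automated LoA check above written in Python: it parses RPSL route/route6 objects, classifies a customer's requested prefixes against the registered origin, and renders a Cisco IOS-style prefix list for the customer session. The IRR text, the AS numbers (AS64500 as the customer, AS64511 as an unrelated network) and the prefix-list name are constructed sample data; a real check would fetch the objects with whois or bgpq3 instead of embedding them.

```python
"""Automated LoA check against IRR route objects (added example, not APNIC code).

SAMPLE_IRR is constructed sample data in RPSL syntax using documentation
prefixes; AS64500 plays the customer and AS64511 an unrelated network.
"""
import ipaddress
import re

SAMPLE_IRR = """\
route:      203.0.113.0/24
descr:      Example customer
origin:     AS64500
mnt-by:     MAINT-EXAMPLE
source:     APNIC

route:      198.51.100.0/23
origin:     AS64500
source:     APNIC

route:      192.0.2.0/24
origin:     AS64511
source:     APNIC

route6:     2001:db8:1000::/36
origin:     AS64500
source:     APNIC
"""


def parse_route_objects(text):
    """Return [(network, origin_as)] from RPSL route/route6 objects.

    Objects are separated by blank lines. Only the route/route6 and origin
    attributes are used; descr, mnt-by and source are ignored.
    """
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"^([a-z0-9-]+):\s*(.*)$", line)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
        prefix = attrs.get("route") or attrs.get("route6")
        origin = attrs.get("origin")
        if prefix and origin:
            # strict=True rejects an object whose host bits are set (a typo in the IRR)
            objects.append((ipaddress.ip_network(prefix, strict=True), origin.upper()))
    return objects


def check_loa(route_objects, origin_as, requested):
    """Classify each requested prefix for the customer's origin AS.

    consistent     an exact route object exists with this origin
    less-specific  only a covering (shorter) object with this origin exists;
                   ask the customer to register the more-specific before filtering it in
    violation      no object at all, or the object belongs to another origin AS
    """
    result = {}
    for p in requested:
        net = ipaddress.ip_network(p, strict=True)
        same_af = [(o, a) for o, a in route_objects if o.version == net.version]
        if any(o == net and a == origin_as for o, a in same_af):
            status = "consistent"
        elif any(net.subnet_of(o) and a == origin_as for o, a in same_af):
            status = "less-specific"
        else:
            status = "violation"
        result[str(net)] = status
    return result


def prefix_list(route_objects, origin_as, name):
    """Render exact-match Cisco IOS-style prefix-list lines for one origin AS.

    IPv4 and IPv6 go to separate lists; sequence numbers step by 5 so entries
    can be inserted later without renumbering.
    """
    lines = []
    for version, keyword, suffix in ((4, "ip", ""), (6, "ipv6", "-v6")):
        nets = sorted(o for o, a in route_objects if a == origin_as and o.version == version)
        for seq, net in enumerate(nets, start=1):
            lines.append(f"{keyword} prefix-list {name}{suffix} seq {seq * 5} permit {net}")
    return lines


if __name__ == "__main__":
    objs = parse_route_objects(SAMPLE_IRR)
    wanted = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24", "2001:db8:1000::/36"]
    for prefix, status in check_loa(objs, "AS64500", wanted).items():
        print(f"{prefix:22} {status}")
    print("\n".join(prefix_list(objs, "AS64500", "CUST-AS64500")))
```

The filter is built from exact route objects only, so the /24 requested out of the registered /23 is reported as "less-specific" rather than silently permitted: the operator either asks the customer to register the /24 or knowingly adds a "le 24" entry, but the script does not widen the filter on its own.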
LoA check
• The system is sometimes overly complicated, and lacks sufficient examples
• End users cannot figure it out, which means another layer of support structure must be added, or proxy registration must be implemented
LoA check & RPSL
A publicly accessible description of every import and export policy towards every transit, peer and customer is difficult to maintain, and is not in the best business interests of many ISPs
RPKI implementation
• Origin validation
• Hosted CA
– Easy to deploy, but you have to trust a third party (the RIR's hosted system) with your private key
• Delegated CA
– Complexity in installing the CA, generating ROAs, publishing the repository URI and pointing at the TA
• Upgrade at least the ASBRs to RPKI-capable code
Technology & learning curve
RPSL: RFC 2622
RPSLng: RFC 4012
RPKI: RFC 6810 (the RPKI-to-router protocol; the RPKI architecture itself is RFC 6480 and BGP prefix origin validation is RFC 6811)
But how are operators adopting and implementing?
Distribution of prefixes
Total prefixes: 650772 (6 July 2016)

Prefixes with IRR data (413775 prefixes)
Violations: 80794 (19.53%)
Consistent: 332981 (80.47%)

IRR data violations example

Prefixes with RPKI
Violations: 775 (3.82%)
Consistent: 19522 (96.18%)

Violations: 2398 (13.56%)
Consistent: 15289 (86.44%)
RPKI data violation example
• Most cases are invalid because of the prefix length (maxLength mismatch): a ROA is created for the /22 with no maxLength beyond it, but a /24 out of that /22 is announced, so the /24 is RPKI-invalid
• Announcements whose origin AS matches none of the covering ROAs are also visible
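As an added example (not code from the slides or from any validator named on this page), the RFC 6811 origin-validation check that produces these results, written in Python over a constructed ROA set: it classifies an announcement as Valid, Invalid or NotFound and, for Invalid, reports whether the maxLength or the origin AS is at fault, then tallies a route table the way the consistency figures above are tallied. The ROAs, prefixes and AS numbers (AS64500, AS64511) are assumptions using documentation ranges.

```python
"""RFC 6811 route origin validation against a ROA set (added example).

SAMPLE_ROAS and the announcements below are constructed sample data, not
registry content; AS64500 and AS64511 are documentation AS numbers.
"""
import ipaddress

# (prefix, maxLength or None, origin AS). A ROA with no maxLength covers only
# the exact prefix, which is the slide's "ROA for /22 but announce /24" case.
SAMPLE_ROAS = [
    ("203.0.112.0/22", None, 64500),  # the /22 only: any /23 or /24 from it is Invalid
    ("198.51.100.0/23", 24, 64500),   # the /23 and its /24s, all from AS64500
    ("2001:db8::/32", 48, 64500),     # the /32 down to /48s, all from AS64500
]


def load_roas(entries):
    """Normalise ROA tuples and reject maxLength values RFC 6482 does not allow."""
    roas = []
    for prefix, max_len, asn in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        if max_len is None:
            max_len = net.prefixlen
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_len} for {net}")
        roas.append((net, max_len, asn))
    return roas


def validate(roas, prefix, origin_as):
    """Return (state, reason) for one announcement.

    state   the RFC 6811 result: Valid, Invalid or NotFound
    reason  only set for Invalid, naming what the prefix holder must fix:
            'maxLength' - a ROA for this origin covers the prefix, but it is longer than allowed
            'origin'    - covering ROAs exist, but none names this origin AS (also the AS0 case)
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return ("NotFound", "")
    if any(asn == origin_as and net.prefixlen <= max_len for _, max_len, asn in covering):
        return ("Valid", "")
    if any(asn == origin_as for _, _, asn in covering):
        return ("Invalid", "maxLength")
    return ("Invalid", "origin")


def summarize(roas, announcements):
    """Count states over a route table, like the RPKI consistency figures on the slides.

    The violation percentage is taken over the announcements that have a
    covering ROA (Valid + Invalid); NotFound routes carry no RPKI data at all.
    """
    counts = {"Valid": 0, "Invalid": 0, "NotFound": 0}
    for prefix, asn in announcements:
        counts[validate(roas, prefix, asn)[0]] += 1
    covered = counts["Valid"] + counts["Invalid"]
    counts["invalid_pct"] = round(100.0 * counts["Invalid"] / covered, 2) if covered else 0.0
    return counts


if __name__ == "__main__":
    roas = load_roas(SAMPLE_ROAS)
    table = [("203.0.112.0/22", 64500), ("203.0.113.0/24", 64500),
             ("198.51.100.0/24", 64511), ("192.0.2.0/24", 64500)]
    for prefix, asn in table:
        print(f"{prefix:18} AS{asn}  {validate(roas, prefix, asn)}")
    print(summarize(roas, table))
```

The split between "maxLength" and "origin" is what the operator needs when contacting the prefix holder: in the first case the holder originates the /24 and should add a ROA for it (or a maxLength of 24) from the same AS; in the second the holder has delegated the space to a customer who must get a ROA for its own AS. Raising maxLength on the /22 without checking who originates the more-specifics would make a forged-origin sub-prefix hijack of any unannounced /24 appear Valid.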
How about Indonesia?

Indonesia
http://rpki.apnictraining.net/output/id.html
Total ASNs delegated by RIR: 166
Visible IPv4 routes: 7305
Visible IPv6 routes: 299
IPv4 prefixes announcement
Source: http://www.ris.ripe.net/dumps/riswhoisdump.IPv4.gz, date: 21 June 2016
IPv4 prefixes distribution by subnet (prefix length: number of announced prefixes)
/11: 1      /13: 1      /14: 5      /15: 10     /16: 75     /17: 12     /18: 36     /19: 68
/20: 340    /21: 533    /22: 981    /23: 1243   /24: 3995   /26: 1      /27: 1      /29: 30
Total: 7332; the /24s alone are more than half of all announcements
IPv6 prefixes announcement
Source: http://www.ris.ripe.net/dumps/riswhoisdump.IPv6.gz, date: 21 June 2016
IPv6 prefixes distribution by subnet (prefix length: number of announced prefixes)
/31: 1      /32: 26     /33: 5      /34: 2      /36: 5      /38: 27     /40: 13     /44: 2
/47: 3      /48: 114    /60: 5      /64: 23     /125: 4     /126: 50    /127: 3     /128: 16
Total: 299
Summary
• RPKI adoption is growing
– In most cases operators create a ROA for the allocation's own prefix length (the minimum length) but advertise longer, more-specific prefixes that the ROA does not cover
– Some announcements are invalid because the space was further allocated to customers, who originate it from their own AS without a matching ROA
• BGP operations and security: draft-ietf-opsec-bgp-security-07 (published as RFC 7454)
Data collection
• OpenBMP: https://github.com/OpenBMP/openbmp
• RPKI Dashboard: https://github.com/remydb/RPKI-Dashboard
• RIPE NCC RPKI statistics: https://lirportal.ripe.net/certification/content/static/statistics/world-roas.html
• RIPE NCC RPKI Validator API: http://rpki-validator.apnictraining.net:8080/export
Thank You
Your views matter! Your views guide the future direction of APNIC. The survey closes 5 August 2016: https://survey.apnic.net